
Solved Mouse clicking Sound virus

Discussion in 'Malware and Virus Removal Archive' started by efilflah, 2010/07/28.

  1. 2010/07/28
    efilflah

    efilflah Inactive Thread Starter

    Joined:
    2010/07/28
    Messages:
    21
    Likes Received:
    0
    [Resolved] Mouse clicking Sound virus

    Hi there,

    I'm going crazy trying to solve this issue I have, it's really got me stumped.

    A few days ago, I started hearing random mouse click sounds as soon as I started up my system. I thought it was odd because I have all Windows sounds disabled. The clicks are random, sometimes just one, sometimes a couple and a double click, usually every minute or so.

    So I double checked and they were still disabled. I thought maybe there was something open that was running and making these noises independently, but I checked Task Manager/Process Explorer and couldn't see anything out of the ordinary. I suspect it's not my mouse/keyboard because it happens even if they are unplugged.

    This is when I began suspecting it was a virus. Admittedly, I hadn't installed an antivirus on my machine, so I instantly downloaded Avira to check my system. It found a few trojans in my temp folders and dealt with them, but it was still happening.

    So I removed my system restore points, booted into safe mode, ran Malwarebytes, HijackThis and Avira and removed whatever I found.

    But it's still happening, and I'm not sure what else to try. Looking through processxp I notice a couple of suspicious svchosts that if I try to kill, just pop up again.

    Checking the command line option of the Image shows how they started up:
    on all of the legit ones they begin with a command line such as:
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    but in the two suspicious ones they simply say
    svchost.exe 4

    as the command line.

    I've embedded the requested info and hopefully you guys can help me solve this annoying problem.


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Lebictch at 17:42:08.34 on 28/07/2010
    Internet Explorer: 6.0.2900.5512
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.665 [GMT 1:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Elan\USB\ETDUSBCtrl.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    svchost.exe 4
    svchost.exe 4
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Documents and Settings\Lebictch\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://uk.search.yahoo.com/?fr=avantsearch
    uSearch Page = hxxp://uk.search.yahoo.com/?fr=avantsearch
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
    mRun: [ETDUSBWare] c:\program files\elan\usb\ETDUSBCtrl.exe
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Notify: AtiExtEvent - Ati2evxx.dll
    IFEO: taskmgr.exe - "c:\applications\processexplorer\PROCEXP.EXE"

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\lebictch\applic~1\mozilla\firefox\profiles\w3btot4w.default\
    FF - plugin: c:\documents and settings\lebictch\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npPDFXCviewNPPlugin.dll
    FF - plugin: c:\program files\tracker software\pdf viewer\npPDFXCviewNPPlugin.dll

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\si3112r.sys [2004-10-21 97920]
    R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2004-10-21 10240]
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-7-27 11608]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-7-27 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-7-27 267432]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-7-27 60936]
    R3 hidflt;Elan HID/USB Mouse Driver;c:\windows\system32\drivers\ETDUSB.sys [2010-3-4 25088]

    =============== Created Last 30 ================

    2010-07-27 17:19:08 0 d-----w- c:\windows\system32\NtmsData
    2010-07-27 17:17:21 0 d-----w- c:\docume~1\lebictch\applic~1\Avira
    2010-07-27 17:13:36 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-07-27 17:13:36 0 d-----w- c:\program files\Avira
    2010-07-27 17:13:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
    2010-07-26 22:48:50 12872 ----a-w- c:\windows\system32\bootdelete.exe
    2010-07-06 23:41:10 0 d-----w- c:\program files\Tracker Software

    ==================== Find3M ====================

    2010-07-26 22:46:18 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-06-26 15:07:09 271360 ----a-w- c:\windows\system32\drivers\atksgt.sys
    2010-06-26 15:07:08 18048 ----a-w- c:\windows\system32\drivers\lirsgt.sys
    2010-05-24 09:31:16 4042 ----a-w- c:\docume~1\lebictch\applic~1\settings.dat

    ============= FINISH: 17:42:19.60 ===============

    Attach.txt:


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 3/4/2010 9:09:16 PM
    System Uptime: 7/28/2010 5:37:15 PM (0 hours ago)

    Motherboard: ASUSTeK Computer INC. | | A7N8X2.0
    Processor: AMD Athlon(tm) XP 3200+ | Socket A | 2145/194mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 112 GiB total, 62.99 GiB free.
    E: is CDROM (CDFS)

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    ATI - Software Uninstall Utility
    ATI Catalyst Control Center
    ATI Display Driver
    µTorrent
    Avant Browser (remove only)
    Avira AntiVir Personal - Free Antivirus
    Cablenut 4.08
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center HydraVision Full
    ccc-core-preinstall
    ccc-core-static
    ccc-utility
    CCC Help English
    CCleaner
    ClearType Tuning Control Panel Applet
    CoreAVC Professional Edition (remove only)
    Google Chrome
    Haali Media Splitter
    Hitman Pro 3.5
    Image Resizer Powertoy for Windows XP
    Java(TM) 6 Update 15
    JDownloader
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 2.0 Service Pack 1
    Microsoft .NET Framework 3.0 Service Pack 1
    Microsoft .NET Framework 3.5
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.6.3)
    MSVCRT
    Notepad++
    NVIDIA Drivers
    NvMixer
    Orca Browser
    PDF-Viewer
    PeerGuardian 2.0
    QT Lite 3.1.1
    Realtek AC'97 Audio
    Segoe UI
    Skins
    SmartPad Software 1.0
    VSO Image Resizer 3.0.1.76
    WebFldrs XP
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows XP Service Pack 3
    WinRAR archiver
    XML Paper Specification Shared Components Pack 1.0

    ==== Event Viewer Messages From Past Week ========

    7/28/2010 5:26:30 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: atapi PCIIde
    7/28/2010 1:52:37 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK7 avgio avipbb Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss ssmdrv Tcpip
    7/28/2010 1:52:37 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    7/28/2010 1:52:37 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    7/28/2010 1:51:23 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    7/28/2010 1:51:12 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    7/28/2010 1:38:57 AM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    7/27/2010 6:12:28 PM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\Lebictch\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
    7/27/2010 6:10:57 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
    7/27/2010 6:10:57 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Applications\Anti Virus\avirarkd.exe. Reference error message: The operation completed successfully. .
    7/27/2010 6:10:57 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.

    ==== End Of File ===========================


    Thanks in advance
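As an added example (not part of the original thread, and not a tool the forum's helpers use), the script below applies efilflah's own observation to a DDS "Running Processes" listing in a repeatable way: on Windows XP a genuine svchost.exe runs from System32 and is started with a `-k <service group>` switch, so an entry with no image path and a stray numeric argument such as `svchost.exe 4` stands out, while a bare `svchost.exe` (DDS prints only the name when it cannot read the command line) is flagged for manual confirmation rather than condemned. The sample log text is constructed from the lines in the post above; the section-header, command-line and path regular expressions and the verdict labels are this example's assumptions about the DDS format, not something DDS or Process Explorer define.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample, modelled on the "Running Processes" section of the DDS
# log posted above; it was not captured from a live machine.
SAMPLE_DDS = """\
============== Running Processes ===============

C:\\WINDOWS\\system32\\Ati2evxx.exe
C:\\WINDOWS\\system32\\svchost -k DcomLaunch
svchost.exe
C:\\WINDOWS\\System32\\svchost.exe -k netsvcs
C:\\Program Files\\Avira\\AntiVir Desktop\\avguard.exe
svchost.exe 4
svchost.exe 4
C:\\WINDOWS\\system32\\wuauclt.exe
C:\\WINDOWS\\System32\\svchost.exe -k imgsvc

============== Pseudo HJT Report ===============
"""

# "====== Section Name ======" banners separate DDS sections (assumed layout).
SECTION = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
# DDS does not quote image paths, so take the image as everything up to the
# first ".exe"/".scr" (paths may contain spaces) and the rest as arguments.
CMDLINE = re.compile(r"^(?P<image>.+?\.(?:exe|scr)|\S+)(?:\s+(?P<args>\S.*))?$", re.I)
# The only place a genuine svchost image lives on XP.
SYSTEM32_SVCHOST = re.compile(r"^[a-z]:\\[^\\]+\\system32\\svchost(\.exe)?$", re.I)
# A genuine svchost instance is started with a service-group switch.
SERVICE_GROUP = re.compile(r"^-k\s+[a-z0-9_]+$", re.I)


def running_processes(dds_text: str) -> List[str]:
    """Return the command lines listed under the 'Running Processes' banner."""
    found, inside = [], False
    for raw in dds_text.splitlines():
        line = raw.strip()
        header = SECTION.match(line)
        if header:
            inside = header.group("name").lower() == "running processes"
            continue
        if inside and line:
            found.append(line)
    return found


def classify_svchost(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (verdict, reason) for an svchost command line; None for other images."""
    m = CMDLINE.match(cmdline)
    if not m:
        return None
    image, args = m.group("image"), m.group("args")
    if image.rsplit("\\", 1)[-1].lower() not in ("svchost.exe", "svchost"):
        return None
    has_path = "\\" in image
    if has_path and not SYSTEM32_SVCHOST.match(image):
        return ("suspicious", "svchost image outside System32: " + image)
    if args is None:
        if has_path:
            return ("suspicious", "started without a -k service group")
        # DDS prints a bare name when it could not read the command line.
        return ("unverified", "command line not captured; confirm in Process Explorer")
    if SERVICE_GROUP.match(args):
        if has_path:
            return ("ok", "service group " + args.split()[1])
        return ("unverified", "service group present but image path not captured")
    return ("suspicious", "unexpected argument(s): " + args)


def triage(dds_text: str) -> List[Tuple[str, str, str]]:
    """List every svchost entry in the log as (cmdline, verdict, reason)."""
    results = []
    for cmdline in running_processes(dds_text):
        verdict = classify_svchost(cmdline)
        if verdict:
            results.append((cmdline, verdict[0], verdict[1]))
    return results


if __name__ == "__main__":
    for cmdline, verdict, reason in triage(SAMPLE_DDS):
        print(f"{verdict:<11} {cmdline:<48} {reason}")
```

Run against the constructed sample, the two `svchost.exe 4` lines are the only entries rated suspicious; the three System32 instances with `-k` groups pass, and the bare `svchost.exe` is left for the reader to confirm against the Command Line column in Process Explorer, which is the check the original poster made by hand.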
     
  2. 2010/07/28
    Admin.

    Admin. Administrator Administrator Staff

    Joined:
    2001/12/30
    Messages:
    6,680
    Likes Received:
    104
    I see you have P2P software (Azureus, LimeWire, BitTorrent, uTorrent etc.) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here, and here.

    I would strongly recommend that you uninstall them, and read the links above for educational value!

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them may result in the discontinued help of future cleaning of your system here at WindowsBBS Malware and Virus removal.

    A Malware expert will have a look at your log in due course.
     

  4. 2010/07/28
    efilflah

    efilflah Inactive Thread Starter

    Joined:
    2010/07/28
    Messages:
    21
    Likes Received:
    0
    Definitely those 2 svchosts

    Using processxp I've managed to suspend the two suspicious svchosts that were running and the clicking has stopped.

    I think when I tried to kill them earlier, because I can only do it one at a time, one svchost was replacing the closed one before I had a chance to kill them both.

    Hope this helps somewhat.
     
  5. 2010/07/28
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    STEP 1. Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt


    STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.



    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  6. 2010/07/28
    efilflah

    efilflah Inactive Thread Starter

    Joined:
    2010/07/28
    Messages:
    21
    Likes Received:
    0
    Thanks for the speedy response:

    MBAM:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4364

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    29/07/2010 01:15:50
    mbam-log-2010-07-29 (01-15-50).txt

    Scan type: Quick scan
    Objects scanned: 132855
    Time elapsed: 5 minute(s), 0 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\Software\Microsoft\idln2 (Malware.Trace) -> No action taken.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    GMER:

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-07-29 01:44:46
    Windows 5.1.2600 Service Pack 3
    Running: mnrzmui8.exe; Driver: C:\DOCUME~1\Lebictch\LOCALS~1\Temp\kwrcapod.sys


    ---- System - GMER 1.0.15 ----

    SSDT EE886EEE ZwCreateKey
    SSDT EE886EE4 ZwCreateThread
    SSDT EE886EF3 ZwDeleteKey
    SSDT EE886EFD ZwDeleteValueKey
    SSDT EE886F02 ZwLoadKey
    SSDT EE886ED0 ZwOpenProcess
    SSDT EE886ED5 ZwOpenThread
    SSDT EE886F0C ZwReplaceKey
    SSDT EE886F07 ZwRestoreKey
    SSDT EE886EF8 ZwSetValueKey

    ---- Kernel code sections - GMER 1.0.15 ----

    init C:\WINDOWS\system32\drivers\nvax.sys entry point in "init" section [0xF7767B8D]
    .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF6AF4000, 0x1B85E6, 0xE8000020]
    .text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xB0186300, 0x3ACC8, 0xE8000020]
    .text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xF4001300, 0x1B7E, 0xE8000020]
    ? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Processes - GMER 1.0.15 ----

    Process C:\Program Files\Internet Explorer\iexplore.exe (*** hidden *** ) 3304

    ---- Files - GMER 1.0.15 ----

    File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\211KS62Y\adserv[4].htm 19 bytes
    File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\3S5LSZOG\st[8] 4508 bytes

    ---- EOF - GMER 1.0.15 ----
     
  7. 2010/07/28
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Your MBAM log says "No action taken" after malicious finding.
    Please, re-run MBAM and fix the issue this time.
     
  8. 2010/07/29
    efilflah

    efilflah Inactive Thread Starter

    Joined:
    2010/07/28
    Messages:
    21
    Likes Received:
    0
    My apologies.

    I've removed it, but it is still happening.
     
  9. 2010/07/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    We'll fix that (I can see the culprit), but I still want to see latest MBAM log.

    When done....

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  10. 2010/07/29
    efilflah

    efilflah Inactive Thread Starter

    Joined:
    2010/07/28
    Messages:
    21
    Likes Received:
    0
    Yay! It's always good to identify culprits.

    Latest MBAM Log

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4364

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    29/07/2010 22:39:11
    mbam-log-2010-07-29 (22-39-11).txt

    Scan type: Quick scan
    Objects scanned: 133253
    Time elapsed: 15 minute(s), 54 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Will report back with ComboFix results ASAP.
     
  11. 2010/07/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Ok :)
     
  12. 2010/07/29
    efilflah

    efilflah Inactive Thread Starter

    Joined:
    2010/07/28
    Messages:
    21
    Likes Received:
    0
    ComboFix Log Below:
    I disabled my AV as described in the link above, but ComboFix still said it was running, so I went ahead anyway - just letting you know.


    ComboFix 10-07-29.01 - Lebictch 29/07/2010 23:02:08.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.669 [GMT 1:00]
    Running from: c:\applications\Anti Virus\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Lebictch\Local Settings\Application Data\Windows Server
    c:\documents and settings\Lebictch\Local Settings\Application Data\Windows Server\flags.ini
    c:\documents and settings\Lebictch\Local Settings\Application Data\Windows Server\uses32.dat

    .
    MBR is infected with the Whistler Bootkit !!

    ((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-29 )))))))))))))))))))))))))))))))
    .

    2010-07-28 01:07 . 2010-07-28 01:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira
    2010-07-27 17:19 . 2010-07-28 16:33 -------- d-----w- c:\windows\system32\NtmsData
    2010-07-27 17:17 . 2010-07-27 17:17 -------- d-----w- c:\documents and settings\Lebictch\Application Data\Avira
    2010-07-27 17:13 . 2010-07-27 17:13 -------- d-----w- c:\program files\Avira
    2010-07-27 17:13 . 2010-07-27 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-07-27 17:13 . 2010-03-01 09:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-07-27 17:13 . 2010-02-16 13:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-07-27 17:13 . 2009-05-11 11:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-07-27 17:13 . 2009-05-11 11:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-07-26 22:48 . 2010-07-26 22:48 12872 ----a-w- c:\windows\system32\bootdelete.exe
    2010-07-06 23:41 . 2010-07-06 23:41 -------- d-----w- c:\program files\Tracker Software

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-28 00:51 . 2010-07-28 00:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-07-28 00:45 . 2010-03-04 17:13 -------- d-----w- c:\program files\PeerGuardian2
    2010-07-27 23:43 . 2010-05-24 15:57 -------- d-----w- c:\documents and settings\Lebictch\Application Data\uTorrent
    2010-07-27 17:09 . 2010-04-07 17:00 -------- d-----w- c:\program files\CCleaner
    2010-07-26 22:48 . 2010-06-25 20:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2010-07-26 22:46 . 2010-06-25 20:53 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-07-26 14:07 . 2010-03-04 16:35 -------- d-----w- c:\program files\Orca Browser
    2010-07-24 17:17 . 2010-03-05 20:29 -------- d-----w- c:\program files\JDownloader
    2010-06-26 15:07 . 2010-06-26 15:07 271360 ----a-w- c:\windows\system32\drivers\atksgt.sys
    2010-06-26 15:07 . 2010-06-26 15:07 18048 ----a-w- c:\windows\system32\drivers\lirsgt.sys
    2010-06-26 11:16 . 2010-06-26 11:16 -------- d-----w- c:\program files\Deep Silver
    2010-06-26 11:16 . 2010-03-04 22:06 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-06-25 20:49 . 2010-06-25 20:49 -------- d-----w- c:\program files\Hitman Pro 3.5
    2010-06-25 20:17 . 2010-06-25 20:17 -------- d-----w- c:\documents and settings\Lebictch\Application Data\Malwarebytes
    2010-06-25 20:17 . 2010-06-25 20:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-06-25 20:17 . 2010-06-25 20:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-06-25 18:41 . 2010-03-29 14:37 -------- d-----w- c:\documents and settings\Lebictch\Application Data\VSO
    2010-06-25 16:21 . 2010-06-25 16:21 -------- d-----w- c:\documents and settings\Lebictch\Application Data\Notepad++
    2010-06-25 16:21 . 2010-06-25 16:21 -------- d-----w- c:\program files\Notepad++
    2010-06-19 17:19 . 2010-06-19 17:19 -------- d-----w- c:\program files\Microids
    2010-06-14 13:47 . 2010-03-04 17:25 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-06-12 18:49 . 2010-06-12 18:49 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-06-06 11:22 . 2010-06-06 11:22 -------- d-----w- c:\program files\Cablenut
    2010-06-05 13:18 . 2010-06-05 13:18 0 ----a-w- c:\windows\nsreg.dat
    2010-06-05 12:57 . 2010-06-05 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-05-24 09:31 . 2010-05-24 09:41 4042 ----a-w- c:\documents and settings\Lebictch\Application Data\settings.dat
    .

    ------- Sigcheck -------

    [-] 2010-03-04 . 68F06FE0021B01E670AF37B8C5964FDF . 361344 . . [5.1.2600.5512] . . c:\windows\system32\drivers\tcpip.sys
    [7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
    [7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\tcpip.sys
    [7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-04 131072]
    "ETDUSBWare"="c:\program files\Elan\USB\ETDUSBCtrl.exe" [2009-02-20 364544]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
    "SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Applications\\utorrent.exe"=
    "c:\\Applications\\utorrent2.exe"=
    "c:\\Program Files\\uTorrent185\\uTorrent.exe"=

    R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\si3112r.sys [10/21/2004 3:42 PM 97920]
    R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [10/21/2004 3:42 PM 10240]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/27/2010 6:13 PM 135336]
    R3 hidflt;Elan HID/USB Mouse Driver;c:\windows\system32\drivers\ETDUSB.sys [3/4/2010 4:27 PM 25088]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-06-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-362288127-682003330-1003Core.job
    - c:\documents and settings\Lebictch\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-09 16:06]

    2010-06-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-362288127-682003330-1003UA.job
    - c:\documents and settings\Lebictch\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-09 16:06]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://uk.search.yahoo.com/?fr=avantsearch
    FF - ProfilePath - c:\documents and settings\Lebictch\Application Data\Mozilla\Firefox\Profiles\w3btot4w.default\
    FF - plugin: c:\documents and settings\Lebictch\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npPDFXCviewNPPlugin.dll
    FF - plugin: c:\program files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-29 23:04
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    c:\program files\Internet Explorer\iexplore.exe [2364] 0x8696F860

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(672)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2010-07-29 23:05:26
    ComboFix-quarantined-files.txt 2010-07-29 22:05

    Pre-Run: 67,749,244,928 bytes free
    Post-Run: 67,747,450,880 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

    - - End Of File - - FACC1A0CF6ADC3DBFC5D396CDA3FBBA9
     
  13. 2010/07/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You did just fine. You're under 10 posts, so when any link is included in your post, it needs approval.
    Let me see what you got there.
     
  14. 2010/07/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop.
    Open this report and post its content in your next reply.
     
  15. 2010/07/29
    efilflah

    efilflah Inactive Thread Starter

    Joined:
    2010/07/28
    Messages:
    21
    Likes Received:
    0
    Hmm, this is what I get.

    Do I have to run it from a specific directory / safe mode?

    MBRCheck, version 1.1.1
    (c) 2010, AD

    \\.\C: --> \\.\PhysicalDrive0

    Size Device Name MBR Status
    --------------------------------------------
    111 GB \\.\PhysicalDrive0 Error reading raw MBR!

    Done! Press ENTER to exit...
     
  16. 2010/07/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Rerun MBRCheck.
    Enter 'Y' and hit ENTER for more options and select option "2".
    When asked for the physical disk number, enter 0 (zero).
    Next, enter 1 (Windows XP) for the MBR code.
    Post the resulting log.

    ==============================================================

    Also, you didn't follow instructions:
    Please, move Combofix.exe to your desktop.
     
  17. 2010/07/29
    efilflah

    efilflah Inactive Thread Starter

    Joined:
    2010/07/28
    Messages:
    21
    Likes Received:
    0
    ahhh damnit, sorry about that, it says it right there in bright blue, I'm blind!

    Shall I rerun combofix?
     
  18. 2010/07/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    No.
    Just move Combofix.exe file from c:\applications\Anti Virus folder to your desktop.

    ...and run prescribed MBRCheck fix from my previous reply.
     
  19. 2010/07/29
    efilflah

    efilflah Inactive Thread Starter

    Joined:
    2010/07/28
    Messages:
    21
    Likes Received:
    0
    I reran MBRCheck, typed 'y' and hit enter, and it just closed. No options given.

    I tried again thinking it was case sensitive with a 'Y', but it still closes when I hit enter.
     
  20. 2010/07/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    It happens when the MBR is badly messed up by a bootkit.

    Restart the computer.
    When you reboot you will see an option to boot into the Recovery Console or the normal Windows installation.
    You have to use the up/down arrows to choose the Recovery Console. Then press Enter, but you only have 2 seconds by default.
    If you find this hard to do, you can go into Control Panel, System, Advanced, Startup and Recovery, Settings. Where it says Time to Display List of Operating Systems, change it to 10 or more seconds. Click OK, then reboot.

    You should get a black screen with a C:\> prompt. Type with an Enter after each line:

    fixmbr

    (If it asks you if you are sure then say "Y".)

    exit

    Reboot computer.

    Re-run MBRCheck and post the fresh log.
     
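    As an added illustration (not part of the thread, and not MBRCheck's or Microsoft's code) of what a tool like MBRCheck inspects when it reports the MBR as unreadable, and why fixmbr helps only with the boot-code part: a Python parser that splits a raw 512-byte MBR sector into boot code, partition table and 0x55AA signature, and classifies how two copies of the sector differ. The two sample sectors are constructed, not real MBR bytes; the LBA values and the idea of an "offline" copy read from a boot CD are assumptions for the example.

```python
import hashlib
import struct
from typing import Optional

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445 hold the boot code that fixmbr rewrites
PART_TABLE_OFF = 446       # four 16-byte partition entries follow the code
BOOT_SIG = b"\x55\xaa"     # last two bytes of any valid MBR


def parse_mbr(sector: bytes) -> Optional[dict]:
    """Split a raw MBR sector into a boot-code hash and partition entries.
    Returns None for a short read or a missing 0x55AA signature, i.e. the
    condition a checker reports as an unreadable MBR."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != BOOT_SIG:
        return None
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        boot_flag, ptype = sector[off], sector[off + 4]
        lba_start, lba_count = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:                      # type 0 marks an unused slot
            parts.append({"active": boot_flag == 0x80, "type": ptype,
                          "start": lba_start, "sectors": lba_count})
    return {"code_md5": hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}


def compare_mbr(online: bytes, offline: bytes) -> str:
    """Classify how the MBR read through the running OS differs from a copy
    read offline (assumed, e.g. from a boot CD). A bootkit usually swaps the
    boot code and leaves the partition table intact; fixmbr repairs the code."""
    a, b = parse_mbr(online), parse_mbr(offline)
    if a is None or b is None:
        return "unreadable"
    if a == b:
        return "identical"
    if a["partitions"] == b["partitions"]:
        return "boot-code-modified"
    return "partition-table-modified"


def _sample(code_byte: int) -> bytes:
    """Constructed 512-byte MBR: filler boot code plus one active NTFS
    partition (type 0x07); the LBA values are made up for the example."""
    code = bytes([code_byte]) * BOOT_CODE_LEN
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 63, 234436482)
    return code + entry + bytes(48) + BOOT_SIG


CLEAN_MBR = _sample(0x90)      # 0x90 = x86 NOP, stands in for real boot code
BOOTKIT_MBR = _sample(0xCC)    # same partition table, different boot code
```

    A sector that parses as None on the live system but cleanly from offline media points at a driver-level hook rather than a damaged disk, which is why the fix below is run from the Recovery Console.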
  21. 2010/07/29
    efilflah

    efilflah Inactive Thread Starter

    Joined:
    2010/07/28
    Messages:
    21
    Likes Received:
    0
    I ran Fixmbr from the recovery console, it wrote a new MBR, I reran MBRcheck and the same error occurred :(

    MBRCheck, version 1.1.1
    (c) 2010, AD

    \\.\C: --> \\.\PhysicalDrive0

    Size Device Name MBR Status
    --------------------------------------------
    111 GB \\.\PhysicalDrive0 Error reading raw MBR!

    Done! Press ENTER to exit...
     